OFFICE OF THE CHIEF INFORMATION OFFICER’S BUDGET

Office of the Secretary

Report Number: FI-2005-055
Date Issued: March 31, 2005

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Office of the Chief Information Officer’s Budget, DOT
         Report Number: FI-2005-055
Date: March 31, 2005
From: Theodore P. Alves, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Chief Information Officer

This report addresses the results of our audit of the fiscal year (FY) 2005 Department of Transportation Office of the Chief Information Officer (OCIO) information technology (IT) budget request for enhancing security, E-Government services, and IT investment management. We conducted this audit in response to a request by the Senate Committee on Appropriations.[1]

The Department is responsible for one of the largest IT investment portfolios among civilian agencies, with an annual IT budget of about $2.7 billion.
The Clinger-Cohen Act of 1996 requires the Department, as well as other large Federal agencies, to appoint a Chief Information Officer (CIO) to help the Secretary of Transportation manage IT investments effectively and efficiently. According to the Act, the CIO is responsible for providing policy guidance to the Department and ensuring that the Department maximizes its return on IT investments, with a focus on using IT to improve mission performance and service to the public. In the Department, the CIO reports directly to the Secretary and directs the OCIO.

In November 2002, the Inspector General testified before the Congress that the Department still had a long way to go to adequately secure its computer systems and properly manage its IT investments. The Department had been operating without a CIO for 1½ years before this testimony. In particular, we recommended that the Department quickly appoint a CIO with the authority to provide Department-wide leadership and enforce compliance with security guidance.[2] In response, the Department committed to strengthen its management of IT resources and, in March 2003, appointed a CIO.

[1] Senate Report (108-146) Accompanying the FY 2004 Appropriation on Transportation, Treasury and Government.

The Senate Committee on Appropriations requested this audit due to concerns over the significant dollar increase in OCIO budget requests. Table 1 shows the requested and enacted budgets for the OCIO beginning in FY 2001.

Table 1. History of OCIO Appropriations ($ in Millions)

    Fiscal Year    Requested    Enacted
    2001           $6.9         $6.2
    2002            6.3          6.0
    2003           16.1         13.0
    2004           23.4         10.0*
    2005           16.7         10.6

    * Includes $7.5 million appropriated by the Congress and $2.5 million received from Operating Administrations through internal reprogramming.

The Committee was also concerned with the high level of generality and vagueness in the budget justifications and with the potential for duplicative and overlapping IT budget requests between the OCIO and the Department’s Operating Administrations (OAs). The Committee directed the Office of Inspector General (OIG) to submit a report to both House and Senate Committees on Appropriations assessing plans and progress made by the Department to improve IT security, E-Government services, and IT investment management. The Committee also directed us to evaluate the effectiveness of OCIO efforts to coordinate budget requests with the OAs, which are responsible for acquiring and operating the majority of the Department’s IT systems.

Our audit objectives were to determine whether (1) the OCIO’s FY 2005 budget request was adequately planned and supported, (2) the OCIO and OAs coordinated with each other in preparing the FY 2005 IT budget request to avoid duplicative or overlapping items, and (3) progress has been made to strengthen IT investment management, improve IT security controls, and implement E-Government services in the Department.
The audit was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States. Our scope and methodology are described in Exhibit A.

[2] Report Number CC-2003-027, “Computer Security Challenges within the Department of Transportation,” November 19, 2002. OIG Reports can be found on our website: www.oig.dot.gov.

RESULTS IN BRIEF

The OCIO’s role in Department-wide IT issues has changed dramatically in the last 2 years. Since FY 2003, the OCIO has played a central role in enforcing key IT initiatives, such as overseeing IT investment management decisions and ensuring that IT systems are secured against attack. In addition, the OCIO has taken on more operational responsibilities, including managing the telephone switching center for the Headquarters building and providing integrated network services to the OAs in Headquarters.

With these changes, however, came significant budgetary consequences that OCIO and OAs have not yet adequately addressed in budget presentations. We found that the OCIO needs to significantly improve its budget submission and oversight of contract services. We also found budget problems associated with the planned consolidation of common systems across OAs.

• First, the OCIO budget request represents only a small portion of the resources managed by the office. The full range of OCIO responsibilities and funding sources has not been adequately presented to the oversight organizations. Specifically, the OCIO has assumed increased operational responsibilities, which has required the OCIO to provide IT services, on a reimbursable basis, to other OAs. The Department’s Working Capital Fund (WCF)[3] reimburses OCIO for these additional services.
  The OCIO budget request did not describe the services it provides to OAs nor the amount of funds expected for reimbursement of those services—$50.8 million. On a combined basis, the OCIO expects to manage resources with a total value of $67.5 million for FY 2005. However, only $16.7 million of the $67.5 million (25 percent) is reflected in its direct budget request.

• Second, although the OCIO had begun efforts to consolidate systems in 11 common business areas, the project management and budget responsibilities for these IT consolidation initiatives were not adequately defined. Historically, each OA made its own investment decisions and submitted separate budget requests to fund its system operations. Consolidating systems in common business areas, such as common IT support services or grant management operations, presents cost saving opportunities and helps eliminate the appearance of duplicate budget requests. However, it will require a more centralized approach and adjustments to the Department’s IT project management and budget submission practices.

[3] The WCF is used to fund both IT and non-IT administrative services. These services, provided mainly to OAs, were performed by the Transportation Administrative Service Center until FY 2003, when they were reassigned to the OCIO. Each OA contributes to the WCF for the services it receives.

• Third, although OCIO’s direct budget requests more than tripled from FY 2002 to FY 2004, the requests did not adequately describe the activities to be performed with the requested funds nor the benefits expected. Many of the terms used, such as architecture and E-Government, are not self-defining, and the budget documentation needs to better translate technical terms for the lay reader.
  Additionally, internal OCIO documentation supporting the OCIO’s budget request did not adequately identify the specific activities, milestones, or resources that would be undertaken. For example, the OCIO requested funding to hire three contractor employees (each costing over $300,000) to help implement the Department’s Enterprise Architecture, but the budget support did not specify any activities requiring such highly skilled expert help.

  In addition to providing more detailed support for its budget estimates, the OCIO also needs to strengthen oversight of contract services. We found one instance where as a result of a series of oversight lapses, the Department obligated approximately $700,000 for an individual’s services without competition and specific measurable products. The OCIO issued a series of 22 task order modifications to extend the individual’s service period from 6 months to 20 months, which also increased the service charge from $77,000 to approximately $700,000. Eight of these modifications were issued retroactively after the services had been performed. Using such high-priced consulting personnel to perform broadly defined work on a nearly full-time basis for almost 2 years was excessive. This inappropriate use of contract service is related to the lack of specific action plans in the budget submission.

• Fourth, the Department needs to implement a robust and consistent management review process for IT investments. The Department, with an annual IT budget of about $2.7 billion, is responsible for one of the largest IT investment portfolios among civilian agencies; however, we found that the OCIO and OAs need to perform more substantive and proactive reviews of IT investments.
  Further, the OCIO and OAs need to provide the departmental Investment Review Board with adequate information needed to make informed decisions regarding whether or not to approve, modify, or terminate IT investment projects.

The OCIO’s full responsibilities and funding levels were not reflected in its budget submission. The OCIO’s direct budget request of $16.7 million accounts for only about 25 percent of the resources that will be provided to it during the year. The OAs will reimburse the OCIO for the remaining $50.8 million or 75 percent for operational services it will provide. These services include telephone and computer system network services, IT security services, and the operation of the consolidated Headquarters IT infrastructure (that is, supporting desktop computers, local area networks, and e-mail transmissions). Table 2 shows the reimbursable services OCIO has received and requested since FY 2003.

Table 2. OCIO Funding Sources by Fiscal Year

    OCIO Funding Source                      FY 2003 Received    FY 2004 Received    FY 2005 Requested
    Direct Appropriations                    $13.0M              $10.0M              $16.7M
    Reimbursement by OAs (through the
    Department’s Working Capital Fund)       $41.7M              $45.8M              $50.8M
    Total                                    $54.7M              $55.8M              $67.5M

This reimbursement approach complies with appropriations law and is not in itself inappropriate.
However, because the operational responsibilities and cost reimbursements from OAs are not identified in OCIO’s direct budget request, the overall budget presentation does not clearly identify the resources provided to support these important operations.

For example, OAs are scheduled to reimburse the OCIO through the WCF about $29 million in FY 2005 for operating the telephone switching center at the Headquarters building. However, the $29 million is not specified in the OCIO budget request. The current budget presentation does not provide oversight organizations, such as the Department’s Office of Budget, the Office of Management and Budget (OMB), and the Congress with the information they need to make informed budget decisions about OCIO’s services and resources.

Similarly, OCIO’s efforts to consolidate office IT infrastructures are not clearly presented in the budget. The FY 2005 direct OCIO budget request includes $700,000 in direct funding for infrastructure consolidation. However, the OCIO also expects to be reimbursed another $9.3 million from OAs for its IT consolidation efforts. Because the $9.3 million is not reflected in OCIO’s budget request, oversight organizations lack the information they need to understand the scope of this effort and the amount of resources needed. Future OCIO budget requests should fully describe the services to be provided to, and the reimbursements expected from, OAs.
This will provide oversight organizations with the information needed to understand the planned use of funds at a time when budgetary requirements are shifting.

Budget implications of DOT’s consolidation efforts need to be better defined. An important departmental initiative is to consolidate multiple systems maintained by individual OAs in 11 common business areas, such as common IT support services or grant management operations. The Department invests about $300 million annually to operate individual systems in these areas. Consolidating systems in these common business areas presents cost saving opportunities and helps eliminate the appearance of duplicate budget requests. However, it will require a more centralized approach and adjustments to the Department’s IT project management and budget submission practices.

Historically, each OA made its own investment decisions and submitted separate budget requests to fund its system operations. The consolidation efforts may require changes in how budget funds are allocated between OCIO and the OAs. In November 2004, the Department identified sponsors for each of the 11 common business areas. However, these sponsors have neither project management nor budget authority over individual OA systems. The Department needs to complete analyzing performance gaps and recommending how these systems should be consolidated and managed. In addition, the OCIO should ensure that future-year budget submissions reflect the planned use of anticipated cost savings from these consolidation initiatives.

The line items in the OCIO’s budget request did not specify the activities to be undertaken.
For FY 2005, the OCIO requested $16.7 million—a 67 percent increase from the FY 2004 funding level—to strengthen the Department’s IT investment management, protect IT systems from attack, and implement E-Government services. In several cases, the narrative describing the activities to be undertaken and the benefits to be achieved did not provide enough information for oversight organizations to understand how the funds would be used. For example, to strengthen IT management, the OCIO needs to ensure that OAs fully implement the newly developed capital planning and investment control procedures. However, the budget did not describe what activities the OCIO would undertake to do this.

Further, when we looked at OCIO documents supporting the budget request, we found that, in some cases, the OCIO had not developed sufficiently detailed work plans and reliable cost estimates. These are needed so that the OCIO can plan and focus its efforts on continuing to improve IT investment management, IT security, and E-Government services. The OCIO budget requests should clearly describe these improvement efforts.

Enhancing IT investment management, IT security, and E-Government services will be a multi-year effort. The OCIO should have a multi-year plan identifying the long-term goals, interim activities, milestones, and resources needed to adequately strengthen capital planning and investment control practices throughout the Department. That plan should then be the basis for annual budget requests. The following paragraphs briefly outline the FY 2005 budget requests and the weaknesses we identified in IT investment management, IT security, and E-Government services.

• IT Investment Management.
  The funding request for IT investment management represents the largest direct OCIO budget increase in FY 2005—from $2 million (FY 2004 enactment) to $5.4 million largely due to additional contractor costs. However, we found that the OCIO’s budget support documentation did not describe the specific activities it planned to undertake to improve IT management practices in the Department. Also, technical terms such as “enterprise architecture,” are not self-explanatory and need to be described more fully.

  This lack of detailed supporting documentation also made the OCIO’s cost estimates questionable. For example, in reviewing support documentation used to develop its funding request, we found the OCIO planned to hire three technical experts (at over $300,000 each) to help implement the Department Enterprise Architecture, but the OCIO had not prepared a work plan specifying what work would be performed by such highly skilled contractors.

  In addition to providing more detailed support for its budget estimates, the OCIO also needs to ensure that it provides adequate oversight to contracts it awards. We found one instance where inadequate oversight of a contract to an individual consultant led to excessive charges. About $700,000 was obligated over 20 months for work that was not competed and largely lacked measurable products. While obtaining expert help is a legitimate use of contract services, management should be mindful that it needs to seek competition and effectively use resources.
  In this case, because management did not identify specific requirements the contractor was to meet, it was not in a position to ensure that it received the best value from the services provided by the contractor.

  As a result of a series of contract oversight lapses, the Department awarded approximately $700,000 for the individual’s services without competition. The OCIO avoided competition by directing an existing contractor to hire the individual as a sub-contractor. The Statement of Work for this individual’s services was also broadly worded and did not define specific task-oriented deliverables. For example, the individual was asked to advise the OCIO on ways to improve the IT capital planning and enterprise architecture development process. However, instead of delivering reports identifying improvement opportunities, the individual was only required to provide undefined weekly status reports. Consequently, the Department could not objectively evaluate the individual’s performance.

  Also, the contract was allowed to grow to excessive levels without competition. The OCIO issued a series of 22 modifications to the task order that extended the service period from 6 months to 20 months and increased the cost of the individual’s services from $77,000 to approximately $700,000. Eight of these modifications were issued retroactively after the services had been performed. Using such high-priced consulting personnel to perform broadly defined work on a nearly full-time basis for almost 2 years was excessive.

  This inappropriate use of contract service is related to the lack of specific action plans in the budget submission. Future budget requests should be supported by more detailed plans describing needed activities, milestones, and resource requirements.
  These plans should then be used to award contracts with clearly defined product deliverables. In addition, both the OCIO and the Office of Acquisition, which is responsible for contract administration, need to develop an action plan to strengthen oversight of contract services.

• IT Security. The funding request for IT security increased from $3.7 million (FY 2004 enactment plus reprogramming) to $4.8 million in FY 2005. Under the OCIO’s leadership, the Department has strengthened IT security protection significantly in two areas—protecting IT infrastructure against attacks from the Internet and increasing the percentage of IT systems certified as having adequate security to support OA missions. However, both the OCIO and the OAs requested funding to protect IT infrastructure in the FY 2005 budget request.

  Specifically, one of the planned activities in the OCIO’s FY 2005 budget request was to install advanced vulnerability remediation and patch management software (estimated to cost $2 million) to protect the Department’s IT infrastructure. About 90 percent of the installation will be on the Federal Aviation Administration (FAA) network computers. We found that FAA is pursuing a similar solution, and the two requests had not been properly coordinated. The OCIO stated that its request is necessary to ensure consistent oversight of all OA infrastructure. However, considering today’s tight budget environment, the OCIO should avoid duplicate funding requests between the OCIO and OAs by ensuring OAs coordinate with the OCIO for performing similar tasks, such as evaluating and remediating network vulnerabilities with different software tools.

• E-Government Services.
  The OCIO budget request for E-Government services increased from $1.3 million in FY 2004 to $2.1 million in FY 2005. The request covered two activities: consolidating the Department’s IT infrastructure and supporting OMB E-Government initiatives. In both cases, the budget contained only high-level general statements about how the funds would be used.

  The OCIO needs to ensure that its IT infrastructure consolidation effort is carefully planned and justified. The budget request decreased from $0.8 million in FY 2004 to $0.7 million in FY 2005. However, the budget narrative provides little information for oversight organizations to understand the nature and scope of the proposed effort. In fact, the current IT infrastructure consolidation effort only addresses the Department’s Headquarters operations, which accounts for about 15 percent of the Department’s annual investment in IT infrastructure, $192 million. The OCIO expects an 18 percent to 26 percent reduction in costs from consolidating the IT infrastructure at the Headquarters, based on industry averages. While we agree that such consolidation presents a cost-saving opportunity, we are concerned that the OCIO has not tailored the industry cost saving average based on the Department’s needs and has not determined how the anticipated savings would be reflected in future-year budget submissions.

  Duplicate IT infrastructures exist not only at the departmental Headquarters but also at FAA Headquarters and OA field offices. For example, FAA uses about 10 separate network infrastructures to support its Headquarters operations. Four OAs with field offices co-located in San Francisco use separate networks to stay connected with the departmental Headquarters. A Department-wide consolidation could be expected to generate significant additional savings.
  The OCIO needs to perform an analysis of the savings that could be achieved from consolidating the entire Department for the departmental Investment Review Board’s consideration.

  In addition, there is a related management issue concerning one of OMB’s E-Government initiatives. The OCIO budget request to support OMB’s E-Government initiatives increased from $0.5 million (FY 2004 enactment) to $1.4 million. The Department is participating in 15 of the 24 OMB-sponsored E-Government initiatives and is generally on, or slightly behind, planned implementation schedules, except for the E-payroll initiative.

  OMB initially required the Department to start using another agency’s—the Department of the Interior’s—payroll system to support the Department’s operations in October 2004. This initiative has proven to be more complicated than originally envisioned. First, since the Interior’s system provides integrated payroll and personnel services, the Department decided to migrate both operations. Second, converting FAA operations requires system modifications because FAA is exempted from Title 5 of the United States Code. As a result, OMB agreed to revise the target completion date to October 2005.
  This change has caused a cost increase estimated by the Deputy Chief Financial Officer to be at least $2 million.

  The E-payroll project is managed by the Office of the Assistant Secretary for Administration with support from the OCIO and the Assistant Secretary for Budget and Programs/Chief Financial Officer under the direction of an executive steering committee.[5] An internal review indicated that the E-payroll initiative was not properly planned and may lack the necessary resources to meet the stated completion dates. We would expect that a primary focus in FY 2005 would be to improve oversight of this project. The OCIO needs to work with the executive steering committee to complete and implement a detailed action plan to address weaknesses in the E-payroll project and submit the plan to the House and Senate Committees on Appropriations, as directed by the Senate.[6]

The Department needs to implement a robust and consistent review process for IT investments. The departmental Investment Review Board was not performing substantive and proactive reviews of IT investments. The Investment Review Board reviewed 10 major projects, with a total life-cycle cost of $7.5 billion, through September 2004. However, we determined that for 3 of the 10 projects, known management problems were not presented to the Investment Review Board. This happened because OAs were not presenting the Investment Review Board with adequate information needed to make informed decisions about whether to approve, modify, or terminate projects.

In addition, more needs to be done to ensure adequate investment review by OA management. The Department’s guidance authorizes each OA to establish its own review board to review IT investment projects.
The departmental Board reviews only major investments—projects exceeding certain dollar thresholds or those deemed to have a significant impact on departmental missions. IT investments not meeting these criteria are deemed non-major. These investment projects, totaling $600 million, should have been reviewed by OA boards in accordance with the Department’s policy. However, we found that non-major projects were not adequately reviewed. The OCIO needs to ensure that OAs follow departmental guidance in reviewing and managing all IT investments.

[5] The E-payroll executive steering committee is composed of representatives of the Assistant Secretary for Administration, the Assistant Secretary for Budget and Programs/Chief Financial Officer, departmental Chief Information Officer, the Federal Aviation Administration, and the Federal Highway Administration (who represents all remaining OAs).

[6] Transportation, Treasury and General Government Appropriations Bill, 2005; Senate Report 108-342; September 15, 2004. The Committee directs the OCIO working with the Assistant Secretary for Administration to submit a plan to the House and Senate Committees on Appropriations within 90 days of appropriations enactment that addresses the weaknesses identified by the Inspector General as they relate to E-payroll. The plan at a minimum shall include: (1) the original cost, (2) the original scope of the project, (3) any deviation from the original scope, (4) all cost increases over the original cost, (5) the estimated cost of completion, and (6) specific steps taken to improve project oversight and accountability.

In response to concerns we raised, the Department has taken steps to strengthen IT investment management reviews.
In September 2004, the OCIO updated its criteria for selecting at-risk projects for the departmental Investment Review Board’s review and issued specific guidance addressing the need for OAs to review non-major IT investments. In October 2004, the Investment Review Board also decided to consider a project’s original baseline in evaluating project risks.

SUMMARY OF RECOMMENDATIONS

• To provide adequate information for oversight organizations’ decision-making, we are recommending that the OCIO disclose the full range of OCIO responsibilities and other sources of funding, including the departmental Working Capital Fund, in future-year budget submissions.

• To prepare for the FY 2007 budget review, we are recommending that the OCIO complete performance gap analyses for the proposed consolidation of common systems by June 2005 for the departmental Investment Review Board’s consideration and keep the House and Senate Committees on Appropriations informed of the planned actions.

• To enhance future budget submissions, we are recommending that the OCIO develop a multi-year plan for continued enhancement of IT investment management, IT security, and E-Government services; strengthen oversight of contractors’ work; and better coordinate with OA CIO offices to avoid duplicate funding requests for performing similar services.

• To implement the E-Government initiatives, we are recommending that the OCIO refine the cost saving estimates (18 percent to 26 percent based on the industry average) for the planned consolidation of the Headquarters IT infrastructure; work with the E-payroll executive steering committee to strengthen oversight of the planned conversion to the Department of the Interior’s payroll system; and submit the action plan for
increased\n     oversights to the House and Senate Committees on Appropriations, as\n     directed by the Senate committee.\n\nA complete list of our recommendations can be found on pages 12 and 13 of this\nreport.\n\n\n                                        xi\n\x0cAGENCY COMMENTS\nWe provided the OCIO with a draft of this report on March 1, 2005, and the OCIO\nprovided a written response on March 30, 2005. The OCIO concurred with all\nnine recommendations and provided corrective action dates for recommendations\n4 and 7. OCIO requested we modify page ix of our report to read \xe2\x80\x9cthe OCIO\nstated that its request is necessary to ensure consistent oversight of all OA\xe2\x80\x99s\ninfrastructure. However, considering today\xe2\x80\x99s tight budget environment, the OCIO\nshould have insisted that the FAA coordinate their activities to determine the most\ncost effective way to meet the DOT requirement.\xe2\x80\x9d We have modified our report to\nreflect the intent of this requested change.\n\nACTION REQUIRED\nIn accordance with Department of Transportation Order 8000.1C, we request that\nyou provide specific corrective action dates for recommendations 1, 2, 3, 5, 6, 8,\nand 9 within 30 days.\n\nWe appreciate the courtesies and cooperation of the Department of\nTransportation\xe2\x80\x99s OCIO representatives during this audit. If you have any\nquestions concerning this report, please call me at (202) 366-1496 or Rebecca C.\nLeng, Deputy Assistant Inspector General for Information Technology and\nComputer Security, at (202) 366-1488.\n\n                                        #\ncc:   Martin Gertel, M-1\n\n\n\n\n                                        xii\n\x0c                               TABLE OF CONTENTS\n\n\n\nFINDINGS .............................................................................................. 
1\n    The OCIO Needs To Identify Its Full Responsibilities\n    and Funding in Budget Request........................................................ 1\n    Budget Implications of the Department\xe2\x80\x99s System\n    Consolidation Efforts Need To Be Better Defined............................. 2\n    The OCIO Needs To Specify the Activities To Be\n    Undertaken in Its Budget Request .................................................... 4\n    The Department Needs To Implement a Robust and\n    Consistent Management Review Process for IT\n    Investments ..................................................................................... 10\n\nRECOMMENDATIONS........................................................................ 12\n\nAGENCY COMMENTS AND OFFICE OF INSPECTOR\nGENERAL RESPONSE....................................................................... 13\n\nACTION REQUIRED............................................................................ 16\n\nEXHIBIT A. SCOPE AND METHODOLOGY ..................................... 17\n\nEXHIBIT B. MAJOR CONTRIBUTORS TO THIS\nREPORT .............................................................................................. 18\n\nAPPENDIX. AGENCY COMMENTS................................................... 19\n\x0c                                                                                    1\n\n\n\n\nFINDINGS\n\nThe OCIO Needs To Identify Its Full Responsibilities and Funding in\nBudget Request\nOur review of the Office of the Chief Information Officer\xe2\x80\x99s (OCIO) budget found\nthat its direct appropriation request represents only a small portion of the resources\nmanaged by OCIO. In addition to direct appropriations, the OCIO receives\nreimbursements from the Operating Administrations (OAs) through the\nDepartment\xe2\x80\x99s Working Capital Fund (WCF). 
While these reimbursements
account for about 75 percent of the resources OCIO controls, they are not reflected
in its FY 2005 budget request of $16.7 million. Specifically, an additional
$50.8 million will be provided to the OCIO from the Department’s WCF in
FY 2005.

Table 2 on page v shows the source of the majority of OCIO’s resources since
FY 2003, when it was made responsible for providing operational services.

The WCF was created to fund common administrative services provided to the
various OAs. The fund is financed through negotiated agreements with the OAs.
Although the program was renamed the Transportation Administrative Service
Center in fiscal year (FY) 1997, its activities were moved back to the WCF during
FY 2003.

The OCIO provides services to the OAs through the WCF in five major areas:
(1) operating the Headquarters telephone switching center, (2) operating the
consolidated IT infrastructure, (3) supporting WCF administrative functions,
(4) operating the departmental computer network, and (5) providing IT security.
Table 3 is a breakout of WCF items for OCIO for FYs 2004 and 2005.


      Table 3. Funding for OCIO Working Capital Fund Responsibilities

  Working Capital Fund Items                       FY 2004   FY 2005
  Operate HQ’s Telephone Switching Center           $22.7M    $28.8M
  Operate Consolidated IT Infrastructure              6.5M      9.3M
  Support Common WCF Administrative Functions         7.6M      7.4M
  Operate Departmental Network                        3.1M      3.3M
  Provide IT Security                                 2.1M      2.0M
    Subtotal                                        $42.0M    $50.8M
  Discontinued Services                               3.8M        0M
  Total                                             $45.8M    $50.8M


The OCIO is reimbursed through the Department’s WCF for IT services it
provides to the entire Department. For example, OAs are scheduled to reimburse
the OCIO about $29 million in FY 2005 for operating the telephone switching
center at the Department’s Headquarters building. Other WCF responsibilities
assigned to the OCIO include managing the Department’s integrated network
services, providing IT security protection, and establishing a consolidated IT
infrastructure to support OAs’ day-to-day office automation needs. However, the
OCIO budget request did not describe the specific services it provides to OAs or
the specific amounts it expects to be reimbursed for those services.

As a result, oversight organizations, such as the Department’s Office of Budget,
the Office of Management and Budget (OMB), and the Congress, lack the
information they need to make informed budget decisions about the OCIO’s
services and resources.
The OCIO budget request should describe in full the
services to be provided to OAs and the reimbursements expected from OAs.


Budget Implications of the Department’s System Consolidation
Efforts Need To Be Better Defined
Identifying opportunities to consolidate systems in common business areas is a
major departmental FY 2005 initiative. However, these efforts are in an early
stage of implementation and still present challenges to the Department.

The Department developed the Modernization Blueprint in September 2003. The
blueprint cites the need to consolidate common departmental IT investments.
After reviewing areas that could be consolidated, the OCIO and OAs identified
opportunities to streamline systems in 11 business areas, as are outlined in
Table 4. In November 2004, the Department identified sponsors for each of the
11 common business areas. However, these sponsors have neither project
management nor budget authority over individual OA systems. The Department
needs to complete analyzing system requirements and performance gaps and
recommending how these systems should be consolidated and managed. In
addition, the OCIO should ensure that future year budget submissions reflect the
planned use of anticipated cost savings from these consolidation initiatives.


        Table 4. Common Investments Identified in FY 2006 Business Cases

       Business Areas                                  No. of      Consolidated      Amount of
                                                       Current     Business Case     FY 2006 Budget
                                                       Systems     Submitted for     Request
                                                                   FY 2006           (in Millions)
   1   Enterprise Architecture                         11          Yes               $   7.2
   2   Enterprise Document Management                  TBD*        Yes                   9.6
   3   Financial Management                            26          Yes                  45.0
   4   Grants Management                               5           Yes                   7.3
   5   Interfaces to International Trade Data System   TBD*        Yes                   0.1
   6   Intermodal Hazardous Materials                  TBD*        Yes                   0.5
   7   IT Infrastructure                               61          Yes                 214.6
   8   Recruitment                                     TBD*        Yes                   0.2
   9   Internal Rulemaking Management                  3           No                    0.4
   10  Procurement Management                          9           No                    5.5
   11  Training                                        18          No                    8.3
       Total                                                                         $ 298.7
*TBD = To Be Determined

For the FY 2006 budget submission, the Department has decided to continue
requesting separate funding for the 11 business areas. However, as an initial step
to consolidation, in September 2004, the Department prepared consolidated
business cases (Exhibit 300) for 8 of 11 business areas, listing all individual
systems and corresponding funding sources.[7] The departmental Investment
Review Board requested the OCIO and the OAs to analyze and compare each
system’s capability, identify performance deficiencies, and develop a unified
approach to eliminate duplication.

[7] The Department plans to submit consolidated business cases for the remaining three business areas for the FY 2007
    budget cycle.

We view this as a critical step in consolidating common systems and achieving
cost reductions. However, the OCIO needs to coordinate with the OAs to develop
work plans and timetables for analyzing the systems, analyzing performance gaps,
and recommending how these systems should be consolidated and managed. In
addition, the OCIO should ensure that future-year budget submissions reflect the
anticipated cost savings that will be achieved from consolidations and describe
how the savings will be put to better use on other projects or activities.

Without such analysis, the Department does not know what cost reductions can be
achieved from consolidating these systems or the implications for future OCIO
and agency budgets. Quantifying the budgetary impact should provide additional
insight to the Appropriations Committees and OMB about the potential to reduce
costs.
Congress should be fully informed of the Department’s planned actions and
associated budget implications.


The OCIO Needs To Specify the Activities To Be Undertaken in Its
Budget Request
In FY 2004, the Senate and House Committees on Appropriations did not approve
the OCIO increased funding request due to the high level of generality and
vagueness presented in its budget justification. In response to the Committees’
request, we reviewed the support documentation for the OCIO’s FY 2005 budget
request of $16.7 million—a 67 percent increase over the amount enacted in
FY 2004. The request included funds to strengthen IT investment management,
improve IT security controls, and implement E-Government services. We found,
in several cases, that the OCIO direct budget request lacked clarity and specificity
because it was not supported by detailed work plans and reliable cost estimates.
Table 5 outlines the OCIO budget for FY 2004 and FY 2005.

                Table 5. OCIO FY 2004 and FY 2005 Budgets

  Budget Items                                  FY 2004 Enacted      FY 2005 Requested
  IT Investment Management
  --Develop Enterprise Architecture             $0.7M                $2.3M
  --Implement Capital Planning Controls          0.9M                 2.3M
  --Develop IT Strategic Management              0.4M                 0.8M
                                                --------    $2.0M    --------    $5.4M
  IT Security*
  --Protect IT Infrastructure                    2.7M                 3.4M
  --Develop Common Access Architecture           0.1M                 0.9M
  --Promote DOT-wide Security Projects           0.9M                 0.5M
                                                --------     3.7M    --------     4.8M
  E-Government
  --Consolidate Agencies’ IT Infrastructure      0.8M                 0.7M
  --Support OMB E-Government Initiatives         0.5M                 1.4M
                                                --------     1.3M    --------     2.1M
  Resource Management/OST IRM Services                       3.0M                 4.4M
  Total                                                    $10.0M               $16.7M
    * FY 2004 figure includes $2.5M from OAs through internal reprogramming.

Although the OCIO direct budget requests more than tripled between FY 2002 and
FY 2004, we found, in several cases, that the FY 2005 request did not adequately
describe the activities to be performed with the requested funds. The descriptions
of activities to be funded are at a high level of generalization and do not specify
the activities to be undertaken or the benefits expected. Further, because many of
the terms used, like architecture and E-Government, are not self-defining, the
budget justification needs to better translate technical terms for the lay reader.

Internal OCIO documentation supporting its budget request also did not include
specific activities, milestones, and resources that would be undertaken. For
example, neither the OCIO’s FY 2005 budget request nor supporting documents
described the specific activities the OCIO planned to improve IT management
practices. In one case, we identified an overlapping IT security investment
between OCIO and the Federal Aviation Administration (FAA).

The Department has made significant progress in implementing IT Investment
Management, IT Security, and E-Government services; however, much more
needs to be done to ensure that it manages its information resources efficiently and
effectively. The OCIO needs to focus its efforts on continuing to improve in each
of the three key areas, and its budget requests should clearly support these
improvement efforts. To accomplish this, the OCIO budget requests should be
closely linked to a multi-year plan that depicts not only the long-term goals but
also the interim activities, milestones, and resources needed to ensure continued
improvement in each area. Equally important is that when OCIO and OAs request
funds for similar activities, the budgets need to be coordinated to eliminate overlap
and duplication.


OCIO Budget Request Did Not Adequately Describe Its Investment
Management Efforts
The funding request for IT investment management represents the largest
requested OCIO budget increase in FY 2005—from $2 million (FY 2004
enactment) to $5.4 million.
This increase is largely due to additional contractor
costs for supporting the Department’s enterprise architecture (a blueprint for IT
modernization efforts) implementation, as well as capital planning tools.
However, we found that the OCIO’s budget support documentation did not
describe the specific activities planned to improve IT management practices in the
Department. Instead, the supporting documentation described only broad areas,
such as implementing the enterprise architecture. This lack of specificity also
made OCIO’s cost estimates questionable.

For example, OCIO requested funding to hire three contractor employees (each
costing over $300,000) to help implement the Department’s enterprise
architecture, but the budget support did not specify any activities requiring such
highly skilled help. Without defining specific activities for contractors, OCIO is
unable to effectively oversee them because there are no performance measures.

In addition to providing more detailed support for its budget estimates, the OCIO
also needs to ensure that it provides adequate oversight to contracts it awards. We
found one instance where inadequate oversight of a contract to an individual
consultant led to excessive charges. About $700,000 was obligated over
20 months for work that was not competed and largely lacked measurable
products. While obtaining expert help is a legitimate use of contract services,
management should be mindful that it needs to seek competition and effective use
of resources.
In this case, because management did not identify specific
requirements the contractor was to meet, it was not in a position to ensure that it
received the best value from the services provided by the contractor.

As a result of a series of contract oversight lapses, the Department awarded
approximately $700,000 for the individual’s services without competition. The
OCIO avoided competition by directing an existing contractor to hire the
individual as a sub-contractor. The Statement of Work for this individual’s
services was also broadly worded and did not define specific task-oriented
deliverables. For example, the individual was asked to advise the OCIO on ways
to improve the IT capital planning and enterprise architecture development
process. However, instead of delivering reports identifying improvement
opportunities, the individual was only required to provide undefined weekly status
reports. Consequently, the Department could not objectively evaluate the
individual’s performance.

Also, the contract was allowed to grow to excessive levels without competition.
The OCIO issued a series of 22 modifications to the task order that extended the
service period from 6 months to 20 months and increased the cost of the
individual’s services from $77,000 to approximately $700,000. Eight of these
modifications were issued retroactively after the services had been performed.
Using such high-priced consulting personnel to perform broadly defined work on a
nearly full-time basis for almost 2 years was excessive.

This inappropriate use of contract service is related to the lack of specific action
plans in the budget submission. Future budget requests should be supported by
more detailed plans describing needed activities, milestones, and resource
requirements. These plans should then be used to award contracts with clearly
defined product deliverables.
In addition, both the OCIO and the Office of
Acquisition, which is responsible for contract administration, need to develop an
action plan to strengthen oversight of contract services.


Greater Disclosure and Coordination Is Needed To Prevent Overlapping IT
Security Requests
The funding request in the IT security area increased from $3.7 million (FY 2004
enactment plus reprogramming) to $4.8 million. In addition, the OCIO is
expecting to receive about $800,000 of WCF reimbursements from the OAs for
providing IT security services. While OCIO’s direct budget was supported by
documentation containing specific work plans, there was no supporting work plan
in the OA or OCIO budget documents describing how the $800,000 OA
reimbursement would be used. The IT security services the OCIO plans to
provide through its direct appropriation and those to be provided through
reimbursements from the WCF overlap. Both requests were justified on the basis
that the OCIO would help protect the Department’s IT infrastructure through
activities such as incident detection and vulnerability monitoring.

Under the OCIO’s leadership, the Department has strengthened IT security
protection significantly in two areas—protection of IT infrastructure against
attacks from the Internet and increasing the percentage of IT systems certified as
having adequate security to support OA missions. Specifically, one of the planned
activities in the OCIO’s FY 2005 budget request was to install advanced
vulnerability remediation and patch management software (estimated to cost
$2 million) to protect the Department’s IT infrastructure. About 90 percent of the
installation will be on FAA network computers. We found that FAA is pursuing a
similar solution, and the two requests had not been properly coordinated.
The
OCIO stated that its request is necessary to ensure consistent oversight of all OA
infrastructure. However, considering today’s tight budget environment, the OCIO
should avoid duplicate funding requests between OCIO and OAs by ensuring OAs
coordinate with OCIO for performing similar tasks, such as evaluating and
remediating network vulnerabilities with different software tools.

During FY 2004, the Congress approved the Department’s reprogramming request
of $2.5 million to augment OCIO’s budget for protecting the IT infrastructure and
doing system certification reviews. Our review of OCIO’s FY 2005 budget
request indicated a shift from doing security certification reviews of agency
systems to performing quality assurance reviews of OA security work. We view
this as a step in the right direction for maintaining clear division between OCIO’s
and the OAs’ responsibilities because it more closely aligns the CIO oversight role
with the Clinger-Cohen Act.


OCIO Needs To Provide Additional Information To Support E-Government
Services
The OCIO’s funding request for supporting OMB’s E-Government initiatives
increased from $1.3 million (FY 2004 enactment) to $2.1 million. Two of the
major initiatives are to consolidate the Department’s fragmented IT infrastructure
and to convert the Department to another agency’s payroll system as part of the
Government-wide E-payroll effort. We found that the Department has not
performed adequate analysis to identify the full cost-saving potential for
consolidating the IT infrastructure and to reflect the anticipated savings in future
budget submissions.
We also noted a need to enhance project management
oversight of the E-payroll conversion effort to avoid further delays and cost
overruns.

The IT Infrastructure Consolidation Is Limited to the Department’s
Headquarters. Currently, each departmental OA is responsible for managing its
own IT infrastructure, such as desktop computers, networks, and e-mail services.
Based on the FY 2005 budget submission, the Department requests about
$192 million annually to maintain all of these separate IT infrastructures.

The OCIO has initiated an effort to replace these fragmented infrastructures at the
departmental Headquarters. It will merge 10 separate IT operating environments,
thousands of computers, and dozens of networks into a single, common operating
environment. The OCIO expects an 18 percent to 26 percent reduction in costs
from the consolidation, based on industry averages. While we agree that such
consolidation presents a cost-saving opportunity, we are concerned that the OCIO
has not tailored the industry cost-saving average to the Department’s needs and
has not determined how the anticipated savings would be reflected in future-year
budget submissions.

Also, the benefits of the current consolidation are limited because Headquarters
operations account for only about 15 percent of the Department’s annual
$192 million investment in IT infrastructure, as is shown in Table 6.

      Table 6. The Department’s Cost of Operating Separate Networks

                                   Cost    Percentage
  Non-FAA OAs
    Headquarters                   $28M        15%
    Field Offices                   53M        27%
  FAA                              111M        58%
  Total                           $192M       100%

Currently, each OA is responsible for requesting funds to operate its own network
computers. As a result, duplicate IT infrastructures exist not only at the
departmental Headquarters but also at FAA Headquarters and OA field offices.
For example, FAA uses about 10 separate network infrastructures to support its
Headquarters operations. Four OAs with field offices co-located in San Francisco
use separate networks to stay connected with the departmental Headquarters.
Integrating these fragmented networks could result in immediate and substantial
cost savings to the Department. The Department, however, has not performed a
study to determine the full potential cost saving for consolidating the entire
departmental IT infrastructure.[8]

To address these issues, the OCIO needs to work with the OAs to perform a
thorough analysis of the savings that can be expected from the current limited
consolidation and the savings that could be achieved by consolidating the IT
infrastructure Department-wide. The OCIO should make appropriate proposals in
future budget requests based on this analysis.

OCIO Needs To Complete an Action Plan To Deal With the Delayed
E-Payroll Project. The Department is participating in 15 of the
24 E-Government services initiated by OMB. The Department is on, or slightly
behind, planned implementation schedules for all E-Government projects except
the E-payroll initiative.
Under the E-payroll initiative, OMB initially required the
Department to use the Department of the Interior’s payroll services and
discontinue its own payroll system operations by October 2004.

This initiative has proven to be more complicated than originally envisioned.
First, since the Interior’s system provides integrated payroll and personnel
services, the Department decided to migrate both operations. Second, converting
FAA operations requires system modifications because FAA is exempted from
Title 5 of the United States Code. Also, the Department had to make
arrangements for continued payroll support of employees transferred to the
Department of Homeland Security. As a result, OMB agreed to revise the target
completion date to October 2005. This change has caused a cost increase
estimated by the Deputy Chief Financial Officer of at least $2 million.

The E-payroll project is managed by the Office of the Assistant Secretary for
Administration with support from the OCIO and the Assistant Secretary for
Budget and Programs/Chief Financial Officer under the direction of an executive
steering committee. An internal review indicated that the E-payroll initiative was
not properly planned and may lack the necessary resources to meet the stated
completion dates. The Department is assessing the review results and formulating
a plan to address weaknesses and budget implications within the project. We
would expect that a primary focus in FY 2005 would be to improve oversight of
this project. The OCIO needs to work with the executive steering committee in
completing and implementing a detailed action plan that addresses weaknesses in
the E-payroll project and submit the plan to the House and Senate Committees on
Appropriations, as directed by the Senate.

[8] OMB also asked for clarification on the extent to which the FAA network could be used to support the Department-
    wide network infrastructure in its review of the FY 2006 budget submission. The Department has agreed to further
    examine this issue.


The Department Needs To Implement a Robust and Consistent
Management Review Process for IT Investments
The Department, with an annual IT budget of about $2.7 billion, is responsible for
one of the largest IT investment portfolios among civilian agencies. The
Clinger-Cohen Act requires the Department to appoint a CIO responsible for
ensuring cost-effective IT investments, including proper security protection. In
FY 2003, we reported that the Department appointed a CIO and it increased the
CIO’s influence over IT decisions by forming the departmental Investment
Review Board (the Board). The Board, chaired by the Deputy Secretary, has the
authority to approve, modify, or terminate major IT investments.

However, we concluded that it was too early to judge whether these changes
would substantially improve the Department’s oversight of IT investments.
Specifically, we were concerned that the Board had focused its reviews on
Department-wide IT projects, such as implementation of a new departmental
accounting system, and had provided little oversight of OA-specific IT investment
projects. This was inadequate, considering that over 90 percent of the
Department’s IT budget is appropriated directly to OAs and a number of their
investments had experienced significant cost overruns and schedule delays in
recent years. We were also concerned with the lack of substantive, in-depth
review of OA IT budget submissions and poor communications between the Board
and the OAs.

During FY 2004, the Department took corrective actions to enhance the
management review process.
However, more needs to be done.


The Departmental Investment Review Board Needs Better Information To
Review IT Investments
The Board needs better information to perform more substantive and proactive
reviews of IT investments. The Board has reviewed 10 major projects, with a total
life-cycle cost of $7.5 billion through September 2004. However, we determined
that for 3 of the 10 projects, known management problems were not presented to
the Board. A further review of minutes from Board meetings showed that the
Board raised substantive questions about the status of only one project. The Board
allowed 9 of the 10 projects to continue without modification. Overall, the Board
was not being presented with the information it needed to make informed
decisions about whether to approve, modify, or terminate projects.

We also found that the Board did not include for review key FAA projects with a
history of trouble. In recent years, we have issued audit reports on FAA’s major
acquisitions involving extensive software development work that required senior
management level attention.[9] We reported that of 20 major acquisitions reviewed,
13 projects had experienced schedule slips of 1 to 7 years, and 14 projects had
experienced cost growth of over $4.3 billion (increasing from $6.8 billion to
$11.1 billion). Yet, the list of projects reviewed by the Board in FY 2004 did not
include many of those we reported as having cost and schedule problems.
In\nresponse to our work, the Board added three of FAA\xe2\x80\x99s major acquisition projects\nto its watch list\xe2\x80\x94the Wide Area Augmentation System, the Standard Terminal\nAutomation Replacement System, and the Integrated Terminal Weather System.\n\nReviewing troubled projects is important, but the Board also needs to monitor\nprojects that have not yet become troubled\xe2\x80\x94exceeding target costs and schedule\nby more than 10 percent. A key objective of the Board should be to prevent\nprojects from breaching the threshold (10 percent overruns) and becoming\ntroubled. This is especially important considering that FAA is beginning a new,\ncostly, and complex acquisition program, the En Route Automation Modernization\nProgram, which will cost billions of dollars to implement and will provide new\nhardware and software for facilities that manage high-altitude traffic.\n\nIn response to concerns we raised, the Department has taken corrective actions to\nstrengthen the IT investment management review. In September 2004, the OCIO\nupdated its criteria for selecting at-risk projects for the Board\xe2\x80\x99s review, including\nprojects with revised baselines and projects showing a negative trend. In October\n2004, the Board also decided to consider a project\xe2\x80\x99s original baseline in evaluating\nproject risks. We will monitor the progress of implementing this new guidance\nand keep senior management and oversight officials informed of the outcome.\n\n\nBetter OA Review of IT Investment Projects Is Needed\nCommunication between the Board and the OAs has improved significantly.\nDuring FY 2004, the Board expanded its membership to include OA\nrepresentatives. The FAA Administrator has joined the Board in reviewing and\napproving major IT investment projects. 
In addition, the Board created three
additional members who will come from the remaining OAs on a rotating basis.
Although the Board benefits from the OAs’ input when reviewing major IT
investment projects, more needs to be done to ensure that OA investment review
boards operate effectively.

9 OIG Report Number PT-2004-006, “The Department’s Top Management Challenges,” December 5, 2003, and OIG
  Report Number AV-2003-045, “Status of FAA’s Major Acquisitions,” June 26, 2003.

The Department’s guidance authorizes each agency to establish its own
management board to review IT investment projects. The departmental Board
reviews only major investments—projects exceeding certain dollar thresholds or
those deemed to have a significant impact on departmental missions. IT
investment projects not meeting these criteria are deemed non-major. These
investment projects, totaling $600 million, should have been reviewed by OA
management boards in accordance with the Department’s policy. However, we
found that less than 10 percent of non-major investments were reviewed by OA
management boards during FY 2004. In September 2004, the OCIO issued
specific guidance addressing the need for OAs to review non-major IT
investments as part of the OA investment management review. This needs to be
enforced throughout the Department. Since we recommended corrective actions
for this issue in another audit report,10 we are not making additional
recommendations.

10 OIG Report Number FI-2005-001, “DOT Information Security Program,” October 1, 2004.

RECOMMENDATIONS
To provide adequate information to oversight organizations so they can make
informed budget decisions, we recommend that the Department’s CIO:

1. Disclose in future budget submissions the full range of OCIO
   responsibilities and sources of funding, including the IT services provided
   to and reimbursements expected from OAs through the Working Capital
   Fund.

To prepare for the departmental Investment Review Board’s review of the
FY 2007 budget submission, we recommend that the Department’s CIO:

2. Complete analyzing performance gaps among duplicate systems in the
   11 common business areas and, by June 2005, recommend to the
   Investment Review Board how consolidating these systems should be
   funded and managed.

3. Keep the House and Senate Committees on Appropriations informed of the
   planned actions and ensure the FY 2007 and future-year budget
   submissions reflect the planned use of anticipated cost savings from these
   consolidation initiatives.

To enhance future IT budget submissions and increase the effectiveness of its
oversight of contractors’ work, we recommend that the Department’s CIO:

4. Develop a multi-year plan for continued enhancement of IT investment
   management, IT security, and E-Government services in the Department.
   The plan should contain interim activities, milestones, and estimated
   resource needs and be used in estimating annual budget requests.

5. Work with the Office of Acquisition to develop an action plan to strengthen
   oversight of contract services and to ensure the Department obtains the best
   value of services through competition.

6. Avoid duplicate funding requests between the OCIO and OAs by ensuring
   OAs coordinate with OCIO for performing similar tasks, such as evaluating
   and remediating network vulnerabilities with different software tools.

To implement the E-Government initiatives, we recommend that the Department’s
CIO:

7. Refine its cost-saving estimate (18 percent to 26 percent based on industry
   average) for the planned IT infrastructure consolidation at the departmental
   Headquarters and reflect the anticipated cost savings in the Department’s
   FY 2007 and future-year budget submissions.

8. Estimate the savings that can be achieved through a Department-wide IT
   infrastructure consolidation, including FAA and OA field offices, for the
   departmental Investment Review Board’s consideration.

9. Work with the E-payroll steering committee to develop and implement an
   action plan to strengthen project management and correct the weaknesses
   identified for the conversion to the Department of the Interior’s payroll
   system and submit the plan to the House and Senate Committees on
   Appropriations, as directed by the Senate committee.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE
We provided the OCIO with a draft of this report on March 1, 2005, and the OCIO
provided a written response on March 30, 2005. The OCIO concurred with all
nine recommendations and provided corrective action dates for recommendations
4 and 7. The OCIO requested we modify page ix of our report to read “the OCIO
stated that its request is necessary to ensure consistent oversight of all OA’s
infrastructure.
However, considering today’s tight budget environment, the OCIO
should have insisted that the FAA coordinate their activities to determine the most
cost effective way to meet the DOT requirement.” We have modified our report to
reflect the intent of this requested change.

Specific comments by the OCIO and its planned actions on our recommendations
are provided below.

Recommendation 1: The OCIO concurred. The OCIO agrees that it should more
clearly outline its total financial profile by linking both salaries and expenses and
the WCF requests. The OCIO noted the FY 2006 budget request defined in more
detail the lines of business. In the future, the OCIO intends to include a more
detailed explanation of the full range of sources available to the OCIO.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

Recommendation 2: The OCIO concurred. The OCIO agreed that a more
complete gap analysis among duplicate systems is necessary, including
documented funding and management strategies.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that OCIO provide us with a timeframe
for the proposed corrective action.

Recommendation 3: The OCIO concurred. The OCIO will keep the House and
Senate Appropriations committees informed of planned actions and ensure the
FY 2007 and future year’s submissions reflect the planned use of anticipated cost
savings from these consolidation initiatives.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation.
However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

Recommendation 4: The OCIO concurred. The OCIO agrees that a multi-year
plan for continued enhancement of IT investment management, IT security, and
E-Government services in the Department is necessary and that it should contain
interim activities, milestones, and estimated resource needs used in estimating
annual budgets. The OCIO will update and refine the existing Departmental
Information Resources Management Plan by September 2005 to address this
recommendation.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation.

Recommendation 5: The OCIO concurred. The OCIO agrees that it must work
with the Office of Acquisition to improve competition, strengthen oversight of
contractors’ work, and more clearly define specific activities and deliverables.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

Recommendation 6: The OCIO concurred. The OCIO agrees that OAs must
improve coordination with the DOT OCIO to avoid duplicate funding requests for
performing similar tasks, such as evaluating and remediating network
vulnerabilities.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

Recommendation 7: The OCIO concurred. The OCIO agrees that it must refine
cost-savings estimates for the planned IT infrastructure consolidation at the
departmental Headquarters and reflect the anticipated cost savings in the
Department’s FY 2007 and future-year budget submissions.
A cost-benefit
analysis is expected to be completed by August 2005.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation.

Recommendation 8: The OCIO concurred. The OCIO agrees that it must
estimate the savings that can be achieved through a Department-wide IT
infrastructure consolidation, including FAA and OA field offices, and that it
should present these estimates to the departmental Investment Review Board for
consideration.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

Recommendation 9: The OCIO concurred. The OCIO agrees that it must work
with the E-payroll steering committee to develop and implement an action plan to
strengthen project management and correct the weaknesses identified for the
conversion to the Department of Interior’s payroll system. A report of these
actions has been provided to the Congressional committees.

OIG Response: The OCIO’s planned actions meet the intent of our
recommendation. However, we request that the OCIO provide us with a
timeframe for the proposed corrective action.

ACTION REQUIRED
In accordance with Department of Transportation Order 8000.1C, we request that
you provide specific corrective action dates for recommendations 1, 2, 3, 5, 6, 8,
and 9 within 30 days.

EXHIBIT A. SCOPE AND METHODOLOGY
This report addresses the results of our audit of the FY 2005 departmental OCIO
IT budget requests for enhancing IT security, E-Government services, and IT
investment management.
We conducted this audit in response to a request by the
Senate Committee on Appropriations.

Our review included evaluating the OCIO’s and OAs’ budget documentation and
interviewing officials from the OCIO, the OAs, and the Office of the Secretary
Office of the Assistant Secretary for Administration. We reviewed documents
supporting OCIO-appropriated funds to determine their adequacy in supporting
planned activities for IT investment management, IT security, and E-Government
service.

We also reviewed documents transferring funds through the WCF to the OCIO. In
evaluating documents from the WCF, we focused on determining the full funding
levels available to the OCIO through the WCF compared to the direct funds OCIO
received.

In evaluating whether overlapping or duplication existed in the Department’s
budgets, we reviewed the FY 2005 budget request for the Department with
emphasis on the Department’s IT Investment Portfolio (Exhibit 53) and the
Business Cases (Exhibit 300) being submitted by the Department to OMB. We
also reviewed documents and minutes of meetings for the Department’s
Investment Review Board to determine whether substantial and proactive reviews
were being performed. We met with members of the Senate Committee on
Appropriations to give them a status report on our audit and obtain their input.

Our audit work was performed between March 2004 and December 2004 at the
Department’s Headquarters in Washington, DC. The audit was conducted in
accordance with Government Auditing Standards prescribed by the Comptroller
General of the United States and included a review of internal management
controls over the budget process and such tests as we considered necessary to
provide reasonable assurance of detecting abuse or illegal acts.

EXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT

THE FOLLOWING INDIVIDUALS CONTRIBUTED TO THIS REPORT.

Name                 Title
Rebecca Leng         Deputy Assistant Inspector General for IT and Computer Security
Phil deGonzague      Project Manager
Michael Marshlick    Computer Scientist Advisor
Brad Kistler         Information Technology Specialist
Aaron Nguyen         Computer Scientist

APPENDIX. AGENCY COMMENTS